If you play a mobile game built with Unity's engine or using Unity's advertising SDK, Unity may collect your device ID, IP address, and gameplay behavior even though you never signed up for anything with Unity directly.
This analysis describes what Unity's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision affects potentially hundreds of millions of mobile game players who have no direct relationship with Unity but whose data Unity collects and uses for advertising profiling.
Players of Unity-powered games may have their device identifiers, IP addresses, and behavioral data collected and used to build advertising profiles without ever consciously agreeing to Unity's terms, raising questions about the adequacy of indirect consent in this context.
How other platforms handle this
Through Cookies and Similar Technologies: Cookies are small text files that are placed on your device, commonly through your browser, and that are used to record information such as settings. Depending on your settings, certain of our Services, including our website, may receive information about yo...
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
Monitoring
Unity has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect data from end users of games and apps that are built using Unity's technology or that use Unity's services. This includes data collected through our SDKs, such as device information (including advertising identifiers), IP address, gameplay data and interactions, and other usage information. We may combine this data with other information we have about you.— Excerpt from Unity's Unity Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR and UK GDPR, particularly the requirements around legal basis for processing and transparency obligations toward data subjects who have no direct relationship with Unity as controller. The policy cites legitimate interests as a basis for certain processing, which EU supervisory authorities have scrutinized in programmatic advertising and SDK-based tracking contexts. COPPA is also implicated where games accessible to children embed Unity's SDK. The FTC's authority over deceptive data practices is relevant for US-based end users. GOVERNANCE EXPOSURE: High. The collection of personal data from end users via embedded third-party SDKs, relying on legitimate interests or downstream developer consent, is one of the most actively scrutinized areas of EU data protection enforcement. The scale of Unity's SDK deployment amplifies regulatory exposure, and the adequacy of consent or notice provided to end users through the game publisher layer is operationally difficult to verify or guarantee. JURISDICTION FLAGS: EU and EEA users receive the highest protection under GDPR, and legitimate interests assessments for advertising-related processing face a high bar under EDPB guidance. California residents have CCPA and CPRA opt-out rights. Users in jurisdictions with sector-specific mobile privacy regulations (such as Illinois for biometric data if gameplay involves such collection) may have additional protections. COPPA creates heightened exposure where games are accessible to children under 13. CONTRACT AND VENDOR IMPLICATIONS: Game developers and publishers who embed Unity's SDK are likely subject to Unity's developer terms, which may include data processing agreements under GDPR Article 28. Procurement teams at publishing organizations should verify that adequate DPAs are in place, that their own end-user privacy notices disclose Unity's data collection, and that opt-out mechanisms are surfaced to players. COMPLIANCE CONSIDERATIONS: Compliance teams should map all products using Unity's SDK and audit whether end-user privacy disclosures adequately reference Unity's data collection. Legitimate interests assessments covering SDK-based advertising data collection should be reviewed and documented. For EU-facing products, consent management platform configurations should be evaluated to ensure Unity's processing is covered within the IAB TCF consent string or equivalent mechanism.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision affects potentially hundreds of millions of mobile game players who have no direct relationship with Unity but whose data Unity collects and uses for advertising profiling.
Players of Unity-powered games may have their device identifiers, IP addresses, and behavioral data collected and used to build advertising profiles without ever consciously agreeing to Unity's terms, raising questions about the adequacy of indirect consent in this context.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unity.